cloud workload protection platform (CWPP)

What is a cloud workload protection platform (CWPP)?

A cloud workload protection platform (CWPP) is a security tool designed to protect workloads that run on premises, in the cloud or in a hybrid arrangement. An organization might choose a CWPP because of the difficulty in monitoring workloads across the many locations that constitute a complex, modern IT environment. This type of protection is one element in a broader cloud security strategy.

A key selling point for CWPPs is they can safeguard workloads, regardless of where, or in what form, they run.

A CWPP automatically and continuously monitors workloads for threats. A CWPP's focus on the workload itself differentiates it from other security tools, which might instead aim to protect networks or other infrastructure components. A workload can be a physical server, virtual server, serverless function, container or something else -- whatever resource is necessary to support and deploy an application.

It is common for workloads to exist in hybrid and multi-cloud environments. This makes it difficult for security teams to have full visibility into those workloads. Vendors in the CWPP category position their products to be a remedy to this visibility problem, offering ongoing monitoring of workloads that might be running on premises, in one or more cloud environments, or in some combination thereof.

CWPP's purpose

A CWPP is designed to work in an autonomous fashion to identify workloads and examine them for vulnerabilities. When the tool assesses that a workload is not adequately protected, it can apply appropriate security standards.

The automation in CWPPs might detect a vulnerable container image, abnormal workload behavior and workloads that fail to meet compliance standards, as well as malware and other signs of infiltration.

These automated security checks take on greater importance as more organizations adopt continuous integration/continuous delivery, which is the practice of active, iterative development and release of software. A security-minded organization wants to be confident that its workload monitoring keeps up with those rapid releases, and that's where the automation of a CWPP comes into play. It should be able to identify misconfigurations and other security vulnerabilities in software before release. Ideally, these alerts come early enough in the process that they do not unduly slow the development team's progress.

Depending on the tool, a CWPP might take an agent-based approach, which is when the tool installs software sensors into the workload to closely track its runtime behavior. While these agents provide greater visibility, they add complexity and can diminish the performance of resources.

While a CWPP works alongside other security tooling, its role is distinct.

It differs from unified endpoint management, which is mostly concerned with the control of devices. And a CWPP has a separate mission than cloud security posture management (CSPM) tool, which seeks to identify compliance problems, misconfigurations or other weaknesses in cloud infrastructure. A tool categorized as a cloud native application protection platform (CNAPP), meanwhile, focuses on security of the application itself.

Many cloud security experts encourage organizations to use CWPPs in concert with CSPM, CNAPPs and other security products. This approach provides a more comprehensive defense against never-ending security threats.

Capabilities of CWPP

Important capabilities of CWPPs include the following:

• Broad visibility. By knowing which workloads are running across private cloud, hybrid cloud, public cloud and multi-cloud environments, a security team is able to understand more fully what it is trying to protect.
• Workload immutability. Someone trying to gain illicit access to systems can work their way past security measures by making changes to the servers used by a deployed workload. Immutability features prohibit such changes.
• Malware protection. Automated scans look for the arrival of malware.
• Application oversight. This protection automatically blocks installation of any software that is not on an organization's list of approved applications.
• Configuration monitoring. Workloads that aren't securely configured provide intruders with easy access. Configuration monitoring can alert a security team to misconfigurations -- and sometimes suggest fixes for them.
• Workload isolation. Some tools use a technique known as microsegmentation to isolate workloads. This limits what can be shared between workloads, making them less-inviting targets.

Challenges with CWPP tools

Security vendors have put a lot of products into the CWPP market in recent years. In assessing the options, consider the following potential complications:

• Compatibility. Most organizations use many types of applications, workloads, cloud architectures and cloud platforms. Getting all of those to work effectively with a particular workload protection tool might be a challenge.
• Integration. To be effective, a CWPP tool needs to integrate with the other security controls and tools that an organization already has in place.
• Scalability. A successful business can expect the number of cloud workloads it runs to grow in the years to come. A workload security tool needs to scale to match that growth.
• Tool selection. Identifying a product or products to protect cloud workloads and cloud applications is a complex task. Each vendor includes different capabilities in their tools. Some propose to do it all; other products are more focused on specific tasks. This makes comparing them a challenge.